From: Andrew McNaughton
To: Andreas Pettersson
Cc: freebsd-isp@freebsd.org
Date: Tue, 26 Jul 2005 17:52:14 +1200 (NZST)
Subject: Re: ssh brute force

On Mon, 25 Jul 2005, Andreas Pettersson wrote:

> Daniel Gerzo wrote:
>
> And here is another one, similar to Daniel's, but this one uses ipfw instead,
> AND another neat thing is that a block isn't permanent. There's a janitor
> cleaning up ipfw rules after a specified time.
>
> http://anp.ath.cx/sshit/
>
> I made it the other day, so I haven't had time to hardcore test it.
> Let me know if it's not working, or if it is ;-)
>

Rather than having a whole bunch of processes running doing this sort of
thing, at least some of which are important enough to need monitoring
themselves (eg in my case pop based smtp authentication), it would be nice
to have a single process monitoring log activity, with some sort of plugin
system for adding various functionality for monitoring different things and
taking various actions.

Anyone know of such a beast? Perl preferred.

Andrew McNaughton
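
The design asked for above (one process reading log lines, per-service plugins, and blocks that a janitor expires) as an added example; it is not code from this thread or from sshit, and it is written in Python rather than Perl. The class names, thresholds and the pop3d line format are assumptions, and actions are returned as tuples rather than run as ipfw commands.

```python
import re
from collections import defaultdict, deque

class Plugin:
    """One monitored pattern: a regex with a named 'ip' group, plus its limits."""
    def __init__(self, name, pattern, max_hits, window, block_for):
        self.name, self.regex, self.hits = name, re.compile(pattern), defaultdict(deque)
        self.max_hits, self.window, self.block_for = max_hits, window, block_for

    def feed(self, ts, line):
        """Return the source IP once it has max_hits matches inside the window."""
        m = self.regex.search(line)
        if not m:
            return None
        q = self.hits[m.group("ip")]            # timestamps of this IP's recent matches
        q.append(ts)
        while ts - q[0] > self.window:          # forget matches older than the window
            q.popleft()
        return m.group("ip") if len(q) >= self.max_hits else None

class Monitor:
    """Single process: each line is offered to every plugin; blocks carry an expiry."""
    def __init__(self, plugins):
        self.plugins, self.blocked = plugins, {}    # blocked maps ip -> expiry time
    def handle(self, ts, line):
        actions = self.janitor(ts)
        for p in self.plugins:
            ip = p.feed(ts, line)
            if ip and ip not in self.blocked:
                self.blocked[ip] = ts + p.block_for
                actions.append(("block", ip, p.name))
        return actions

    def janitor(self, now):
        """Expire blocks whose lifetime has passed, so no block is permanent."""
        expired = [ip for ip, exp in self.blocked.items() if exp <= now]
        self.blocked = {ip: exp for ip, exp in self.blocked.items() if exp > now}
        return [("unblock", ip, "janitor") for ip in expired]

def demo():
    # Greedy ".*" binds to the LAST " from ", so a username containing
    # "from 10.0.0.1" cannot redirect the block to someone else's address.
    ssh = Plugin("sshd", r"sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+)", 3, 60, 300)
    pop = Plugin("pop3", r"pop3d: LOGIN FAILED.*ip=\[(?P<ip>[\d.]+)\]", 2, 60, 600)
    mon = Monitor([ssh, pop])
    # Constructed sample lines (seconds, log text); the pop3d format is invented here.
    log = [(0, "sshd[411]: Failed password for root from 192.0.2.7 port 4000 ssh2"),
           (5, "sshd[412]: Failed password for invalid user bob from 192.0.2.7 port 4001 ssh2"),
           (9, "sshd[413]: Failed password for root from 192.0.2.7 port 4002 ssh2"),
           (400, "pop3d: LOGIN FAILED, user=al, ip=[198.51.100.9]")]
    return [a for ts, line in log for a in mon.handle(ts, line)]
```

In a deployment the caller would map each returned `block`/`unblock` tuple onto the firewall of choice and feed `handle()` from the tailed log files.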